FORBIDDEN: CVE-2011-3368, no patches against this issue DEPRECATED: apache13 is deprecated, migrate to 2.2.x+ now This port expired on: 2011-11-01 IGNORE: is forbidden: CVE-2011-3368, no patches against this issueMaintainer:apache@FreeBSD.orgPort Added:unknownAlso Listed In:securityLicense: not specified in port

Apache + OpenSSL (Apache-SSL)
Uses the public domain SSL implementation known as OpenSSL, integrated
into the Apache server to provide a public domain HTTPS server using
Netscape Secure Sockets Layer (SSL), versions 2 and 3 and TLS version
1. There are licensing issues in connection with use of the OpenSSL
code in the US, and there are ITAR restrictions on export, even though
the OpenSSL code is obtained from an overseas location.
Full details can be found on the web at:
WWW: http://www.apache-ssl.org
Details of OpenSSL can be found at:
http://www.openssl.org

- mark apache13 FORBIDDEN (CVE-2011-3368)
* There are no patches from upstream and already existing
exploids in the wild.
- ru-apache13 ports have long outstanding issues and are far
behind last apache13 patches.
with hat apache@
Feature safe: yes

- Set EXPIRATION_DATE to an actual date (9.0 is behind, so guess 2 months from
now).
- This can be changed later as needed, if at all, either way we won't remove
them
until after 9.0 is released.
With Hat: apache@
Reported by: dvl via freshports

Fix a few "bad example" problems in the rc.d scripts that have been
propogated by copy and paste.
1. Primarily the "empty variable" default assignment, which is mostly
${name}_flags="", but fix a few others as well.
2. Where they are not already documented, add the existence of the _flags
(or other deleted empties) option to the comments, and in some cases add
comments from scratch.
3. Replace things that look like:
prefix=%%PREFIX%%
command=${prefix}/sbin/foo
to just use %%PREFIX%%. In many cases the $prefix variable is only used
once, and in some cases it is not used at all.
4. In a few cases remove ${name}_flags from command_args
5. Remove a long-stale comment about putting the port's rc.d script in
/etc/rc.d (which is no longer necessary).
No PORTREVISION bumps because all of these changes are noops.

- Fix security issue in mod_rewrite.
All people using mod_rewrite are strongly encouraged to update.
An off-by-one flaw exists in the Rewrite module, mod_rewrite.
Depending on the manner in which Apache httpd was compiled, this
software defect may result in a vulnerability which, in combination
with certain types of Rewrite rules in the web server configuration
files, could be triggered remotely. For vulnerable builds, the nature
of the vulnerability can be denial of service (crashing of web server
processes) or potentially allow arbitrary code execution.
This issue has been rated as having important security impact
by the Apache HTTP Server Security Team
Updates to latest versions will follow soon.
Notified by: so@ (simon)
Obtained from: Apache Security Team
Security: CVE-2006-3747

Remove the FreeBSD KEYWORD from all rc.d scripts where it appears.
We have not checked for this KEYWORD for a long time now, so this
is a complete noop, and thus no PORTREVISION bump. Removing it at
this point is mostly for pedantic reasons, and partly to avoid
perpetuating this anachronism by copy and paste to future scripts.

- Update to 1.3.28.1.49.
- Add suexec support
- Misc changes
- Add a footnote for users, to announce them that next version
will be a complete resync with apache13 ports layout.
PR: 57300
Submitted by: sheepkiller@cultdeadsheep.org

Unmark this port from being forbidden; the reason by its time was that
the port had been updated to 1.2.27 and ssl-1.48 which simply did not
exist then.
Now they do exist. Since it builds, installs and runs correctly with
no further changes, and all the other apache-1.2.27-based ports are
back alive again, there's no reason to keep this one forbidden.
Don't be alarmed that the MD5 sum changes: the previous one in
distinfo was actually the checksum from apache_1.3.26+ssl_1.48.tar.gz,
since the last update to that file only changed the name but not the
MD5 sum. Alas, i could not find any authoritative MD5 on
http://www.apache-ssl.org/ to verify against.

Update all ports using OpenSSL and RSA to work without rsaref since it is no
longer required. Apologies to the various maintainers whom I did not yet hear
back from, but the ports freeze is coming up in a few hours and I will be
verifying all of these ports on a 4.1 machine myself to catch any problems.